Flask oauth 2 resource owner password flow

Question

I'm using flask-oauthlib module to develop both oauth 2 client and provider

When using resource owner password flow, the provider won't redirect to client's redirect url.

Here is my client code for sending post to provider:

@app.route('/signin', methods=['POST', 'GET'])
def signin():
    if request.method == 'POST':
        username = request.form.get('username')
        password = request.form.get('password')
        f = {'client_id': 'jCce40zAaHXLxP0prU*************',
             'client_secret': 'vzf7U219hrAjIYN70NcFo3VBQzott******',
             'grant_type': 'password', 'scope': 'email',
             'redirect_uri': 'http://localhost:8000/authorized', 'response_type': 'token'}
        data = {'username': username, 'password': password}
        encoded_url = 'http://127.0.0.1:5000/oauth/authorize?' + parse.urlencode(f)
        headers = {"Content-Type": "application/json"}
        requests.post(encoded_url, data=json.dumps(data), headers=headers)
    return render_template('signin.html')

And here is provider authorize_handler

@app.route('/oauth/authorize', methods=['GET', 'POST'])
@oauth.authorize_handler
def authorize(*args, **kwargs):
    if request.method == 'POST':
        details = json.loads(request.data)
        username = details['username']
        password = details['password']
        user = User.query.filter_by(user_name=username).first()
        if user:
            if user.check_password(password):
               session['id'] = user.id
               return True
            return False
        return False

    if request.method == 'GET':
        user = current_user()
        if not user:
            session['redirect_after_login'] = request.url
            return redirect('/home')
        client_id = kwargs.get('client_id')
        client = Client.query.filter_by(client_id=client_id).first()
        kwargs['client'] = client
        kwargs['user'] = user
        return render_template('authorize.html', **kwargs)

    confirm = request.form.get('confirm', 'no')
    return confirm == 'yes'

Also Flask-oauthlib oauth 2 provider logging

Fetched credentials from request {'response_type': 'token', 'state': None, 'client_id': 'jCce40zAaHXLxP0prU************', 'redirect_uri': 'http://localhost:8000/authorized'}.
Found redirect_uri http://localhost:8000/authorized.
Validate client 'jCce40zAaHXLxP0prU***********'
Save bearer token {'scope': 'email', 'access_token': 'y08hkm594YbLe2*****', 'expires_in': 180, 'token_type': 'Bearer'}
Authorization successful.
127.0.0.1 - - [20/Sep/2015 17:40:53] "POST /oauth/authorize?client_id=jCce40zAaHXLxP0prU*********&client_secret=vzf7U219hrAjIYN70NcFo3VBQzot**********&response_type=token&grant_type=password&scope=email&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fauthorized HTTP/1.1" 302 -

The way I see it, the token is being saved but:-

Redirection does not occur
It cause the client to load like forever until I restart it (Even if I tried to access other routes, the client does not respond)

What am I missing ?

NB:

I've implemented server side flow and client side flow and they worked fine

I'm still new to flask

score 2 · Answer 1 · edited Oct 07 '21 at 06:01

2

I think you are mixing different grant types of OAuth2. With the Resource Owner Password Credentials grant, the authorization server does not do a redirect, instead it provides a token response to the client.

https://www.rfc-editor.org/rfc/rfc6749#section-4.3

redirect_uris are associated with the Authorization Code grant.

edited Oct 07 '21 at 06:01

Community

1
1

answered Jan 15 '16 at 21:25

Wenn

339
2
4
14

Flask oauth 2 resource owner password flow

1 Answers1